Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Leveraging Multivariate Analysis to Detect Anomalies in Industrial Control Systems

28 views

Published on

Guest lecture in the DAT300 graduate course of the Chalmers University of Technology in Gothenburg, Sweden.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Leveraging Multivariate Analysis to Detect Anomalies in Industrial Control Systems

  1. 1. LEVERAGING MULTIVARIATE ANALYSIS TO DETECT ANOMALIES IN INDUSTRIAL CONTROL SYSTEMS DAT300 presentation Mikel Iturbe Electronics and Computing Department Faculty of Engineering – Mondragon University Chalmers University of Technology, Gothenburg, Sweden September 15, 2016
  2. 2. <Prologue>
  3. 3. Introduction ADSs MSPC Ongoing work Conclusions About me 3
  4. 4. Introduction ADSs MSPC Ongoing work Conclusions About me • Born in Bilbao, Basque Country, 1987 • BSc in Computer Engineering (Mondragon Unibertsitatea 2008-2012) • MSc in ICT Security (UOC, UAB, URV 2012-2013) • PhD in ICS Security (Mondragon Unibertsitatea 2013-2017?) 4
  5. 5. Introduction ADSs MSPC Ongoing work Conclusions About us: Mondragon Unibertsitatea • Small, private, non-profit university in the Basque Country • Founded in 1997 (1943) • Some data (14/15) • 4 faculties • 3513 undergrad students • 615 Master students • 112 PhD students • Cooperative university • Transfer oriented research 5
  6. 6. Introduction ADSs MSPC Ongoing work Conclusions About us: Telematics team at Mondragon Unibertsitatea 6
  7. 7. </Prologue>
  8. 8. Introduction ADSs MSPC Ongoing work Conclusions Agenda 1. Introduction 2. Anomaly Detection Systems 3. Multivariate Statistical Process Control 4. Ongoing work 5. Conclusions 8
  9. 9. Introduction
  10. 10. Introduction ADSs MSPC Ongoing work Conclusions Industrial control systems CC-BY-SA 3.0 Kreuzschnabel, Schmimi1848, Wolkenkratzer, Brian Cantoni, Hermann Luyken, Beroesz 10
  11. 11. Introduction ADSs MSPC Ongoing work Conclusions Fieldbus Network Control Network Demilitarized Zone Corporate Network Internet PLC PLCPLC HMI Control Server Engineering Workstation HistorianData Server Field equipment Workstations Corporate Servers FieldDevicesFieldControllersSupervisoryDevices 11
  12. 12. Introduction ADSs MSPC Ongoing work Conclusions ICS vs. IT ICS networks IT networks Primary function Control of physical equip- ment Data processing and transfer Applicable Domain Manufacturing, processing and utility distribution Corporate and home environ- ments Hierarchy Deep, functionally separated hierarchies with many proto- cols and physical standards Shallow, integrated hierar- chies with uniform protocol and physical standard utili- sation Failure Severity High Low Reliability Required High Moderate Round Trip Times 250μs–10 ms 50+ ms Determinism High Low Data Composition Small packets of periodic and aperiodic traffic Large, aperiodic packets Temporal consistency Required Not Required Operating environment Hostile conditions, often fea- turing high levels of dust, heat and vibration Clean environments, often specifically intended for sen- sitive equipment System lifetime (years) Some tens Some Average node complexity low (simple devices, sensors, actuators) high (large servers/file sys- tems/databases) Brendan Galloway and Gerhard Hancke. Introduction to Industrial Control Networks. IEEE Communications Surveys & Tutorials, 15(2):860–880, 2012 Manuel Cheminod, Luca Durante, and Adriano Valenzano. Review of Security Issues in Industrial Networks. IEEE Transactions on Industrial Informatics, 9(1):277–293, 2013 12
  13. 13. Anomaly Detection Systems
  14. 14. Introduction ADSs MSPC Ongoing work Conclusions Intrusion Detection System • Mechanisms that monitor network and/or system activities to detect suspicious events that occur in them. • Main classification criteria in IDSs 1. Detection mechanism • Signature-based • Anomaly Detection Systems (ADS) 2. Scope • Host • Network 3. ICS Scope • Network • Process 14
  15. 15. Introduction ADSs MSPC Ongoing work Conclusions ADSs on ICSs • Active research topic • Data-driven methods gaining traction Bonnie Zhu and Shankar Sastry. SCADA-specific intrusion detection/prevention systems: a survey and taxonomy. In Proceedings of the 1st Workshop on Secure Control Systems (SCS), 2010 Robert Mitchell and Ingray Chen. A Survey of Intrusion Detection Techniques for Cyber Physical Systems. ACM Computing Surveys, 46(4), April 2014 15
  16. 16. Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature • We found a couple of relevant gaps in the literature. 1. Lack of visualizations 2. Almost no network & process level ADSs 16
  17. 17. Introduction ADSs MSPC Ongoing work Conclusions Visual Network Flow Monitoring (a) Forbidden flow between PLC 1 and HMI 2. (b) Detail of the forbidden flow. Mikel Iturbe, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria. Visualizing Network Flows and Related Anomalies in Industrial Networks using Chord Diagrams and Whitelisting. In Proceedings of the 11th Joint Conference on Computer Vision, Imaging and Computer Graphics Theory and Applications, volume 2, pages 99–106, Feb. 2016 17
  18. 18. Introduction ADSs MSPC Ongoing work Conclusions Visual Network Flow Monitoring Able to detect, based on whitelisting: • Forbidden connection • Forbidden port • Incorrect flow size (DoS) • Missing host 18
  19. 19. Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature • We found a couple of relevant gaps in the literature. 1. Lack of visualizations 2. Almost no network & process level ADSs 19
  20. 20. Introduction ADSs MSPC Ongoing work Conclusions Gaps in literature “In order to make IDSs effective in protecting this kind of systems, it is then needed a set of multilayer aggregation features to correlate events generated from different sources (e.g. correlating events coming from the process network of a remote transmission substation with events coming from the office network of a control center) in order to detect large scale complex attacks. This probably represents the next research challenge in this field.” Ettore Bompard, Paolo Cuccia, Marcelo Masera, and Igor Nai Fovino. Cyber vulnerability in power systems operation and control. In Critical Infrastructure Protection, pages 197–234. Springer, 2012 20
  21. 21. Multivariate Statistical Process Control
  22. 22. Introduction ADSs MSPC Ongoing work Conclusions Multivariate data V1 V2 V3 … Vm O1 O2 O3 ... ... ... On • ICSs are multivariate by nature. 22
  23. 23. Introduction ADSs MSPC Ongoing work Conclusions Multivariate data It is not easy to monitor… • If variables are in their normal operation constraints • Correlations between different variables But, information can be expressed in a (smaller) set of non-measurable variables called Latent Variables or Principal Components 23
  24. 24. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) CC-BY-SA 2.5 Charles Albert-Lehalle 24
  25. 25. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) • Dimensionality Reduction Algorithm • Linear combination of variables • Maximizes variance 25
  26. 26. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) CC-BY 2.0 Matthias Scholz, Approaches to analyse and interpret biological profile data. PhD Thesis. University of Potsdam, 2006 26
  27. 27. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) X = TAPt A + EA           O11 . . . O1m O21 . . . O2m O31 . . . O3m ... ... ... ... On1 . . . Onm           =           O′ 11 O′ 12 O′ 21 O′ 22 O′ 31 O′ 32 ... ... ... ... O′ n1 O′ n2           [ V′ 11 . . . V’1m V′ 21 . . . V’2m ] +           e11 . . . e1m e21 . . . e2m e31 . . . e3m ... ... ... ... en1 . . . enm           27
  28. 28. Introduction ADSs MSPC Ongoing work Conclusions Principal Component Analysis (PCA) X = TAPt A + EA           O11 . . . O1m O21 . . . O2m O31 . . . O3m ... ... ... ... On1 . . . Onm           Original values =           O′ 11 O′ 12 O′ 21 O′ 22 O′ 31 O′ 32 ... ... ... ... O′ n1 O′ n2           Scores [ V′ 11 . . . V’1m V′ 21 . . . V’2m ] Loadings +           e11 . . . e1m e21 . . . e2m e31 . . . e3m ... ... ... ... en1 . . . enm           Residuals 28
  29. 29. Introduction ADSs MSPC Ongoing work Conclusions PCA: Residuals PD - Pearson, K. 1901. On lines and planes of closest fit to systems of points in space. Philosophical Magazine 2:559-572. 29
  30. 30. Introduction ADSs MSPC Ongoing work Conclusions Multivariate Statistical Process Control • Statistical Control • Process-agnostic • We monitor the scores and the residuals on control charts. • Two univariate statistics: Dn = A∑ a=1 ( tan − µta σta )2 ; Qn = A∑ a=1 (enm)2 30
  31. 31. Introduction ADSs MSPC Ongoing work Conclusions Control Charts Time Value 31
  32. 32. Introduction ADSs MSPC Ongoing work Conclusions Anomaly Detection • Monitoring of control charts • If three consecutive observations go of bounds, the event is flagged as anomalous 32
  33. 33. Introduction ADSs MSPC Ongoing work Conclusions Anomaly Diagnosis • Once an anomaly is flagged, we diagnose its cause • Contribution (oMEDA) plots TE variables d2 A -90 -80 -70 -60 -50 -40 -30 -20 -10 0 10 XMEAS(1) José Camacho. Observation-based missing data methods for exploratory data analysis to unveil the connection between observations and variables in latent subspace models. Journal of Chemometrics, 25(11):592–600, 2011 33
  34. 34. Introduction ADSs MSPC Ongoing work Conclusions Application to Network Anomaly Detection • MSPC-based techniques can be used for network anomaly detection. • Variable parametrization. • Logs José Camacho, Gabriel Maciá Fernández, Jesús Díaz Verdejo, and Pedro García Teodoro. Tackling the Big Data 4 vs for anomaly detection. In Computer Communications Workshops (INFOCOM WKSHPS), 2014 IEEE Conference on, pages 500–505, April 2014. doi: 10.1109/INFCOMW.2014.6849282 José Camacho, Alejandro Pérez Villegas, Pedro García Teodoro, and Gabriel Maciá Fernández. PCA-based multivariate statistical network monitoring for anomaly detection. Computers & Security, 59:118–137, 2016. ISSN 0167-4048. doi: http://dx.doi.org/10.1016/j.cose.2016.02.008 34
  35. 35. Introduction ADSs MSPC Ongoing work Conclusions And in ICSs? • When looking at Process Data, we might be able to distinguish intrusions from disturbances using MSPC Mikel Iturbe, José Camacho, Iñaki Garitano, Urko Zurutuza, and Roberto Uribeetxeberria. On the feasibility of distinguishing between process disturbances and intrusions in process control systems using multivariate statistical process control. In 2016 46th Annual IEEE/IFIP International Conference on Dependable Systems and Networks Workshops (DSN 2016), 2016 35
  36. 36. Introduction ADSs MSPC Ongoing work Conclusions Work Hypothesis Therefore, it seems natural to link both worlds, and create a unified ADS for ICSs. 36
  37. 37. Ongoing work
  38. 38. Introduction ADSs MSPC Ongoing work Conclusions Process: Tennessee-Eastman James J Downs and Ernest F Vogel. A plant-wide industrial process control problem. Computers & Chemical Engineering, 17(3):245–255, 1993 38
  39. 39. Introduction ADSs MSPC Ongoing work Conclusions Network 39
  40. 40. Introduction ADSs MSPC Ongoing work Conclusions Challenges • Timestamp synchronization • Data processing complexity 40
  41. 41. Conclusions
  42. 42. Introduction ADSs MSPC Ongoing work Conclusions Conclusions • Anomaly Detection in ICSs is an active research field • Security visualizations in the field are still in their infancy • Multivariate Analysis can help finding process-level anomalies • Network variable parametrization opens the way to a multi-level, process-agnostic, ADS for ICSs. 42
  43. 43. thank you. miturbe@mondragon.edu iturbe.info

×